[cap-talk] Polaris: Virus Safe Computing for Windows XP
Karp, Alan H
alan.karp at hp.com
Mon Dec 13 13:56:18 EST 2004
Jed Donnelley wrote:
> >The synchronizer updates the file as soon as it detects a
> change to the
> Does that mean it's polling? How does the synchronizer find out
> about such a change?
I haven't looked at the code, but I know you can register for an event
to be sent when a file or directory changes.
> > Indeed, most applications won't open a file for
> write if it's
> >already open for write.
> Notepad apparently does... I haven't tested many others, but
> that seems
> pretty significant to me.
The important thing is that the behavior will be the same with Polaris
as it is without.
> I agree the mechanism in useful to avoid having implicit
> sharing happening through the RunAs user. However,
> touting this value as resulting from "properly distinguishing
> authority from permission" seems somewhat more than
> a bit much - to me.
I agree. I've now removed the offending phrase from the document.
> >Not specifically. If I logged into a pet account and launced Excel
> >directly, there's be no RunAs involved. As long as the
> PowerBox running
> >as a system service recognized this process as running in a
> pet, opening
> >a file would work the same as described in the paper.
> (Well, at least
> >it should, but we don't have the PowerBox running as a
> service today.)
> By "the same" do you mean that the PowerBox will somehow (above)
> detect changes in the file and change the corresponding file
> belonging to another user outside the Pet? If that's so I'll have to
> say that doesn't seem particularly desirable behavior to me. I don't
> know why anybody would (or would be allowed to) login as this
> "pet" user, but if that happened it seems to me to confuse things.
> In that case you would have multiple applications sharing "ambient"
> access to some of these (admittedly indirect) resources - in
> likely violation of POLA.
If I use Polaris to open the file, then there would be a synchronizer,
whether I did a RunAs or logon. Also, there is a separate pet for each
application, or even several pets for the same application. Logging in
to a pet account gives me the same privileges as launching an
application under Polaris, which uses RunAs.
> In contrast the 2 level encapsulation scheme that I outlined
> runs each Windows application under a separate Windows
> emulator which is individually granted resource access strictly
> according to POLA.
> Sorry if I'm not getting it, but it sounds to me like you might
> be getting a bit carried away with your mechanism and losing
> sight of what you're trying to accomplish - at least if I'm
> correctly understanding what you are trying to accomplish.
I'd love to use your encapsulation scheme, and it's exactly what I'd use
on Linux. I just don't know how to do it on Windows. None of the
virtual OSes, ala Xen, works with Windows, and virtual machines are too
heavyweight to have one per process.
> I've got that, but isn't it also important that if multiple
> are running at the same time under Polaris (or when logged into
> the "pet" account) that they each get rights according to
They are to the best of our ability and consistent with usability. For
example, in the Alpha, all files opened by a particular pet are
accessible to all running instances of that pet. That's a violation of
POLA, but creating an account on launch would make the system too slow.
However, each pet runs in a separate account, so a file opened in an
Excel pet is not accessible by an Word pet, or even by a different pet
configured to run Excel.
> Ah. Unfortunate. Is it the lack of the restricted execution
> that's the major problem or the lack of the Windows emulator or ???
If we had an emulator with the right hooks, we could build the
restricted execution environment. That might be a lot of effort, but at
least we'd have a shot at it.
> You indicated that you are considering virtual machine monitors
> for a protected execution environment for Polaris. Isn't
> that over kill
> if all you need is the simpler sort of protected execution environment
> that I discussed? Is it just the fact that some VM monitors are
> available and the simpler facility doesn't seem to be? Using a
> VM monitor for something like Polaris would seem to me to really
> be opening up a can of worms.
Yes, but it's there, and it runs Windows. We now think we can avoid
using a VM by taking advantage of alternate desktops to close the GUI
> >We originally planned to do something along these lines on
> >Linux. Given the resources, we might still.
> It would be of particular interest on Linux I think because you would
> not only get POLA for applications but you'd be getting it for Windows
> applications under Linux. Of course you'd need and could probably
> leverage something like wine to pull it off. Paradoxically on Linux
> it might be more difficult to provide a POLA execution environment
> for Linux applications ;-)
I meant for Gnome or other Linus desktop environments. We also have a
plan for future work that combines CapDesk and Polaris, but I don't know
when we can start working on it.
Virus Safe Computing Initiative
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Karp, Alan H.vcf
Size: 433 bytes
Desc: Karp, Alan H.vcf
Url : http://www.eros-os.org/pipermail/cap-talk/attachments/20041213/25e43724/KarpAlanH-0001.vcf
More information about the cap-talk